“There is a time-tested security method that can reliably disarm the IoT threat”

IoT (internet of things) security has now literally become a matter of life and death. “We have seen an avalanche of potentially deadly vulnerabilities in connected devices, and I don’t even want to imagine what could happen if this trajectory continues – but there is a time-tested security method that now has been modified so that it can also reliably disarm the IoT threat,” says Tejas Lagad, country manager for India at identity and security company Nexus Group.

In 2015, Chrysler had to recall 1.4 million vehicles after a pair of hackers demonstrated that they could remotely hijack a Jeep’s digital systems over the internet.

Hackers took over the car brakes

“They could wirelessly hack into a car and take over dashboard functions, steering, transmission and brakes. For Chrysler, the fix was embarrassing and costly. For Jeep owners, the poor authentication in the remote connection was a matter of life and death,” says Lagad.

A year later, Johnson & Johnson warned doctors and 114,000 patients of a security vulnerability in one of its insulin pumps, which could be exploited to overdose diabetic patients with insulin.

Strong authentication – a necessity

“These are only two of many examples of poor IoT security that have highlighted how utterly important trustworthy authentication has become. Strong authentication is what makes it possible for connected things to communicate securely, and avoid eavesdroppers and hijackers,” says Lagad.

The prospect of someone remotely administering you an overdose or crashing your car with you in it is terrifying for anyone, and some people are arguing that the internet of things will do more harm than good.

Time to go back to security basics

“But is going back to the dark ages really the right answer to the very real dangers that connected things entail? No. Instead, the time has come to go back to security basics. To something tried and tested. To something that has secured the internet over the past 20 years, by enabling HTTPS. It is time to start using public key infrastructure (PKI) for IoT security too,” says Lagad.

The PKI security method enables trusted electronic identities for people and things, which make it possible to implement strong authentication, data encryption and digital signatures.

PKI has never been hacked

“There are other ongoing attempts to try to reliably protect connected devices – but why reinvent the wheel? PKI has never been hacked. It used to be expensive and complicated, but it isn’t any longer.”

All manufacturers of connected devices pay a lot of attention to interoperability and connectivity, since they know that these factors are a necessity for successful sales. There has to be a mental shift, where security is seen as equally important, says Lagad.

Making the IoT secure by design

“Manufacturers have to start making connected devices secure by design, by building in support for the digital certificates that ensure the trustworthiness of the digital identities in a PKI,” says Lagad.

Earlier, it was complicated to provision digital certificates to things, but that has changed. New certificate enrollment protocols, most notably Enrollment over Secure Transport (EST), make the process much more streamlined.

“And the upcoming EST over secure CoAP standard (EST-coaps) will improve the provisioning process even more. This means that there are no longer any valid reasons to risk lives by not using PKI,” says Lagad.

Published 15/11 2017
